At 10:32 AM -0500 7/31/97, Robert T. Nelson wrote:
On Wed, 30 Jul 1997, Michael Dillon wrote:
Maybe some of us have thought about it and realized that the best course of action is to:
a. not talk publicly about this lest the cracker community learn too much
I disagree that we should not talk publicly about flaws in the design of the network. I think that this information should be as widely disseminated as possible.
The way I see it, it is valuable to admit that flaws exist and to make sure as many people as possible know the best possible solutions to the problem, in this case installing BIND 4.9.6 or the latest BIND 8. But I don't think that it serves anyone to discuss the details of how these flaws can be exploited. Yes, I know that the security experts discuss this stuff in their own forums and that some crackers are there learning and building exploit tools. But I feel uncomfortable when the detailed discussion of exploit techniques spills over into too many other forums.
In 1853 Charles Tomlinson wrote a treatise on Locks. This document describes the reasons that the "good guys" should discuss the construction (and failings) of locks in public, otherwise only rogues will have the information. He goes on to further state that rogues will be the first to *apply* such knowledge.
No argument here. And thank you for pointing out how we aren't really breaking as much new ground here as some people think.
Furthermore, not discussing security issues and their implications publicly leads to hysteria and paranoia throughout the system. Do you suggest that we gain protection from having uneducated network administrators?
Nope. I think it's great to educate network administrators on what they can do today to protect their networks and I think that a good way to combat paranoia is to suggest that there is an action available that will increase your protection. When the public believes that something can be done, i.e. upgrade BIND, filter bogus source routes, block broadcasts, then they generally pressure the technical people to get cracking and implement the solutions. This is not paranoia.

********************************************************
Michael Dillon voice: +1-415-482-2840
Senior Systems Architect fax: +1-415-482-2844
PRIORI NETWORKS, INC. http://www.priori.net
"The People You Know. The People You Trust."
********************************************************